initial_access_potential_clickfix_infection_chain.yml
name: Potential ClickFix infection chain
id: ffe1fc54-2893-4760-ab50-51a83bd71d13
version: 2.0.1
description: |
  Identifies execution of a process via the Run command dialog box, Windows Console shortcut, or Explorer address bar,
  followed by that process spawning a potential infostealer.
  This could be indicative of the ClickFix deceptive tactic, used by attackers to lure victims into executing
  malicious commands under the guise of meeting pages or CAPTCHAs.
labels:
  tactic.id: TA0001
  tactic.name: Initial Access
  tactic.ref: https://attack.mitre.org/tactics/TA0001/
  technique.id: T1566
  technique.name: Phishing
  technique.ref: https://attack.mitre.org/techniques/T1566/
references:
  - https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/
  - https://blog.sekoia.io/clickfix-tactic-revenge-of-detection/
  - https://detect.fyi/hunting-clickfix-initial-access-techniques-8c1b38d5ef9b
condition: >
  sequence
  maxspan 2m
    |spawn_process and
     ps.parent.name ~= 'explorer.exe' and length(ps.args) >= 2 and
     ps.name iin ('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wget.exe', 'curl.exe', 'msiexec.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'msbuild.exe') and
     (thread.callstack.summary imatches
       (
         'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*',
         'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*',
         'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|windows.storage.dll|SHCore.dll|*'
       ) or
       (thread.callstack.summary imatches '*shell32.dll|explorer.exe|*' and thread.callstack.symbols imatches ('*shell32.dll!GetFileNameFromBrowse*'))
     )
    | by ps.uuid
    |spawn_process and ps.exe not imatches
       (
         '?:\\Program Files\\*.exe',
         '?:\\Program Files (x86)\\*.exe'
       )
    | by ps.parent.uuid
action:
  - name: kill
output: >
  Potential infostealer process %2.ps.exe delivered via ClickFix infection chain
severity: high
min-engine-version: 3.0.0
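The two-stage sequence above is easier to reason about when replayed over concrete events. The following is an added example, not Fibratus code and not part of this rule file: a small Python replay of the rule's logic over constructed `spawn_process` events. It approximates the engine's semantics (case-insensitive glob matching for `imatches`, a 2-minute join keyed on the stage-1 `ps.uuid` matched against the stage-2 `ps.parent.uuid`) and walks through a true positive plus three cases the rule deliberately does not fire on: a child under Program Files, a stage-1 process with fewer than two arguments, and a child that arrives after `maxspan`. Event names, uuids, paths and callstack strings are constructed for illustration.

```python
"""
Toy replay of the ClickFix sequence rule over constructed spawn_process events.
Added example for this page; not Fibratus code. It only approximates the
engine: imatches -> case-insensitive glob, maxspan 2m -> 120 s window keyed on
the stage-1 process uuid (ps.uuid) joined to the stage-2 parent uuid.
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAXSPAN_SECONDS = 120  # maxspan 2m

STAGE1_NAMES = {
    'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wget.exe', 'curl.exe',
    'msiexec.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'msbuild.exe',
}

# Callstack summaries the rule associates with the Run dialog / address bar path
CALLSTACK_SUMMARIES = [
    'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*',
    'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*',
    'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|windows.storage.dll|SHCore.dll|*',
]
TRUSTED_EXE_GLOBS = ['?:\\Program Files\\*.exe', '?:\\Program Files (x86)\\*.exe']


@dataclass
class SpawnEvent:
    ts: float                   # seconds
    uuid: str                   # ps.uuid
    parent_uuid: str            # ps.parent.uuid
    parent_name: str            # ps.parent.name
    name: str                   # ps.name
    exe: str                    # ps.exe
    args: List[str]             # ps.args
    callstack_summary: str = ''  # thread.callstack.summary
    callstack_symbols: str = ''  # thread.callstack.symbols


def imatches(value: str, pattern: str) -> bool:
    """Case-insensitive glob, approximating the rule language's imatches."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def stage1(ev: SpawnEvent) -> bool:
    """Interpreter launched by explorer.exe via the Run dialog / address bar code path."""
    if ev.parent_name.lower() != 'explorer.exe' or len(ev.args) < 2:
        return False
    if ev.name.lower() not in STAGE1_NAMES:
        return False
    if any(imatches(ev.callstack_summary, p) for p in CALLSTACK_SUMMARIES):
        return True
    return (imatches(ev.callstack_summary, '*shell32.dll|explorer.exe|*')
            and imatches(ev.callstack_symbols, '*shell32.dll!GetFileNameFromBrowse*'))


def stage2(ev: SpawnEvent) -> bool:
    """Follow-on process whose image lives outside Program Files."""
    return not any(imatches(ev.exe, g) for g in TRUSTED_EXE_GLOBS)


def detect(events: List[SpawnEvent]) -> List[Tuple[SpawnEvent, SpawnEvent]]:
    """Replay events in time order; return (stage1, stage2) pairs completing the sequence."""
    pending: Dict[str, SpawnEvent] = {}  # stage-1 ps.uuid -> event ('by ps.uuid')
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        # expire partial matches whose 2m window has elapsed
        pending = {u: p for u, p in pending.items() if ev.ts - p.ts <= MAXSPAN_SECONDS}
        first = pending.get(ev.parent_uuid)  # 'by ps.parent.uuid' join
        if first is not None and stage2(ev):
            alerts.append((first, ev))
            del pending[ev.parent_uuid]  # sequence consumed
        if stage1(ev):
            pending[ev.uuid] = ev
    return alerts


def format_output(alert: Tuple[SpawnEvent, SpawnEvent]) -> str:
    """Mirror the rule's output template; %2.ps.exe is the stage-2 image path."""
    return f'Potential infostealer process {alert[1].exe} delivered via ClickFix infection chain'


# Constructed sample telemetry (not real captures).
RUN_DIALOG_STACK = ('ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|'
                    'user32.dll|shell32.dll|explorer.exe|SHCore.dll|user32.dll|ntdll.dll')
EXPLORER = 'explorer-uuid-1'
SAMPLE_EVENTS = [
    # 1) victim pastes a one-liner into Win+R; powershell drops and runs a binary 30 s later -> alert
    SpawnEvent(100, 'ps-a', EXPLORER, 'explorer.exe', 'powershell.exe',
               r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
               ['powershell.exe', '-w', 'hidden', '-ep', 'bypass', '-c', '<payload>'], RUN_DIALOG_STACK),
    SpawnEvent(130, 'ps-b', 'ps-a', 'powershell.exe', 'update.exe',
               r'C:\Users\victim\AppData\Local\Temp\update.exe', ['update.exe']),
    # 2) admin runs "cmd /k" from Win+R, then git from Program Files -> stage 2 excluded
    SpawnEvent(200, 'ps-c', EXPLORER, 'explorer.exe', 'cmd.exe',
               r'C:\Windows\System32\cmd.exe', ['cmd.exe', '/k'], RUN_DIALOG_STACK),
    SpawnEvent(210, 'ps-d', 'ps-c', 'cmd.exe', 'git.exe',
               r'C:\Program Files\Git\bin\git.exe', ['git.exe', 'status']),
    # 3) bare "cmd" fails length(ps.args) >= 2, so its child never joins
    SpawnEvent(300, 'ps-e', EXPLORER, 'explorer.exe', 'cmd.exe',
               r'C:\Windows\System32\cmd.exe', ['cmd.exe'], RUN_DIALOG_STACK),
    SpawnEvent(310, 'ps-f', 'ps-e', 'cmd.exe', 'tool.exe', r'C:\Tools\tool.exe', ['tool.exe']),
    # 4) like 1) but the child appears 160 s later, outside maxspan 2m -> no alert
    SpawnEvent(400, 'ps-g', EXPLORER, 'explorer.exe', 'mshta.exe',
               r'C:\Windows\System32\mshta.exe', ['mshta.exe', '<payload>'], RUN_DIALOG_STACK),
    SpawnEvent(560, 'ps-h', 'ps-g', 'mshta.exe', 'late.exe', r'C:\Users\victim\late.exe', ['late.exe']),
]

if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(format_output(alert))
```

Running it prints a single line for case 1. Note what the replay makes visible: the rule's precision comes from the stage-1 callstack match (the spawn must originate from the explorer.exe Run dialog / address bar code path, not merely have explorer.exe as parent) and from the join on process uuid rather than name, while the Program Files exclusion and the 2-minute window are the two places a tuned adversary could slip past it, for example by staging a payload that waits longer than `maxspan` before spawning.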